author | PW Hu <jlu.hpw@foxmail.com> | 2021-11-05 17:56:50 +0800 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2021-11-09 08:51:09 +0100 |
commit | 419afbf8a3adeffc598e32963bc041599b4007a8 (patch) | |
tree | a0bff9904d26484fed2ea68c4be957ebffcfa5ca | |
parent | 2cb802e16fff3fb2c57ae664baa7bd9ce3e33805 (diff) |
Fix: invoking X509_self_signed improperly
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16976)
(cherry picked from commit 64c428c35053a101a452c42d5d0a9a8342493606)
-rw-r--r-- | crypto/x509/x509_cmp.c | 8 | ||||
-rw-r--r-- | crypto/x509/x509_vfy.c | 4 |
2 files changed, 8 insertions, 4 deletions
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 8b4e46a589..f3d58cdfa6 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -208,8 +208,12 @@ int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags)
 return 1;
 }
 }
- if ((flags & X509_ADD_FLAG_NO_SS) != 0 && X509_self_signed(cert, 0))
- return 1;
+ if ((flags & X509_ADD_FLAG_NO_SS) != 0) {
+ int ret = X509_self_signed(cert, 0);
+
+ if (ret != 0)
+ return ret > 0 ? 1 : 0;
+ }
 if (!sk_X509_insert(sk, cert,
 (flags & X509_ADD_FLAG_PREPEND) != 0 ? 0 : -1)) {
 ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 0e5b18f67e..d66b10950c 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -3231,7 +3231,7 @@ static int build_chain(X509_STORE_CTX *ctx)
 if (!ossl_assert(num == ctx->num_untrusted))
 goto int_err;
 curr = sk_X509_value(ctx->chain, num - 1);
- issuer = (X509_self_signed(curr, 0) || num > max_depth) ?
+ issuer = (X509_self_signed(curr, 0) > 0 || num > max_depth) ?
 NULL : find_issuer(ctx, sk_untrusted, curr);
 if (issuer == NULL) {
 /*
@@ -3302,7 +3302,7 @@ static int build_chain(X509_STORE_CTX *ctx)
 CB_FAIL_IF(DANETLS_ENABLED(dane)
 && (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0),
 ctx, NULL, num - 1, X509_V_ERR_DANE_NO_MATCH);
- if (X509_self_signed(sk_X509_value(ctx->chain, num - 1), 0))
+ if (X509_self_signed(sk_X509_value(ctx->chain, num - 1), 0) > 0)
 return verify_cb_cert(ctx, NULL, num - 1,
 num == 1
 ? X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT |
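Review bot: The new `return ret > 0 ? 1 : 0;` in X509_add_cert makes a negative result from X509_self_signed() a failure of X509_add_cert, but nothing in the hunk says so and, unlike the sk_X509_insert() failure path two lines below, this branch raises no error of its own, so a caller that consults the error queue may find it empty unless X509_self_signed() already raised (not visible here). The three new lines deserve a comment such as `/* < 0: self-signedness could not be determined; report failure, not "skipped" */`. The `ret > 0 ? 1 : 0` could also simply be `return ret > 0;` since both branches already yield 0 or 1. The enclosing function starts before this hunk.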
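Review bot: In build_chain the new `X509_self_signed(curr, 0) > 0` at line 3234 silently treats a negative (error) result as "not self-signed", so a certificate whose self-signedness could not be determined is handed to find_issuer(); the same applies to the `> 0` at line 3305, where such a certificate no longer reaches the DEPTH_ZERO_SELF_SIGNED / SELF_SIGNED_CERT_IN_CHAIN callback. That may well be the intended outcome (a later check presumably reports the bad certificate), but it is a deliberate policy and should be stated at the first site with a comment like `/* X509_self_signed() < 0 (cannot tell) is treated as not self-signed here */`; if instead the error should stop chain building, a separate `< 0` branch going to the error path is needed. build_chain starts and ends outside both hunks.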